Sooner is almost always better, especially when it comes to cybersecurity.
“More and more of today’s controls are network-based, so it makes sense to integrate cybersecurity from the start as part of good network design and security-focused culture,” says Corey Schoff, senior network and security engineer at Malisko Engineering Inc. “More clients are interested in cybersecurity, but they don't know what they can’t see, so we try to give them greater visibility about what’s secure and where they need to look deeper. For example, using Cisco’s Cyber Vision software shows cybersecurity-related network activity, bringing visibility to what would otherwise be anonymous traffic.”
Lee Kottke, network and security engineer at Malisko, adds these efforts are aided by the increasing automation of many cybersecurity functions. “For example, when they’re historizing device traffic or lateral movements, users can compare day-one baseline data to day-15 information, and determine what’s correct versus what’s anomalous, possibly unauthorized or a telltale sign of malicious activity,” explains Kottke.
Headquartered in St. Louis, Malisko’s IT technology and network security division is in Eau Claire, Wis., where it’s observed cybersecurity shift over the past 10 years. Malisko is a certified member of the Control System Integrators Association (CSIA).
Kottke reports more clients are approving cybersecurity projects to meet the requirements of insurers, who are demanding they address vulnerabilities in their systems. “With so many public industrial ransomware cases, IT departments are being tasked with evaluating their OT cybersecurity posture,” he says.
To fulfill these increasingly urgent requests, Schoff adds that users must get their IT and OT teams to collaborate, so they can present a united front on cybersecurity. “Everyone entrusted with using or programming industrial control systems (ICS) must be subject to role-based access control (RBAC). Likewise, their organizations must also adopt zero-trust frameworks that only grant access to those who require it,” says Schoff. “This begins with strong passwords, multi-factor authentication, and elevated-privilege accounts with a reauthorization process.”
Finding common cybersecurity ground
Even though OT and IT have different perspectives and priorities for cybersecurity—mainly OT’s emphasis on availability versus IT’s emphasis on confidentiality and more frequent patching—Schoff reports they can begin to be brought together by software like Cyber Vision, which uses network-level data to provide the information and insights each team needs, whether it’s about asset management or version control. “OT can get their asset and uptime data, and IT can get information about their network’s vulnerabilities and malicious traffic,” says Schoff. “However, because they’re both getting data from the same source, and working towards a common goal, there must also be a line of communication between IT and OT, especially so IT can know what’s happening at the OT level.”
As usual, building these lines of communication requires system integrators like Malisko to meet with IT and OT engineers as part of a cybersecurity risk assessment (cyber RA) to get the context and tribal knowledge of individuals and processes running on the plant floor. “IT teams see real benefit from tools like Cyber Vision, but they’re much more effective if OT managers are included in deciding what they’re doing,” explains Kottke. “They can add PLCs, valves or other devices that weren’t considered by IT before, tell what I/O group they’re in, show which components have a higher priority, and demonstrate what the consequences are if those devices go down. This gives everyone a much clearer picture for better operations and cybersecurity.”
Schoff and Kottke report that the newest and most numerous risks come from securing networks connected to cloud-computing services, as more and more factory data flow to cloud-based applications. They advise using:
· Certificate-based authentication;
· Site-to-site virtual private networks (VPNs) between cloud-computing services and on-premises networks, via tunneling VPNs; and
· Industrial demilitarized zones (iDMZ) focused specifically on brokering OT traffic, so any communications to the enterprise can be analyzed and controlled in real time.
“The next generation in cybersecurity is really micro-segmentation at the OT level for network access control (NAC),” adds Schoff. “This involves using managed Ethernet switches, working in tandem with network access control software, to define which devices are permitted to talk to other devices on the network. For example, a particular variable frequency drive (VFD) might only be allowed to talk to a particular PLC, regardless of IP or subnet. This enables cybersecurity to be very granular. This can be facilitated by Cisco’s Identity Services Engine (ISE), and use its TrustSec function to authenticate against the ISE server, and predefine which devices are OK to be on the network and talk to specific other devices. This improves upon the type of secure control that we have with firewalls between subnetworks. Now we can have this type of cybersecurity within functional areas in the factory and within work cells as well.”
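Two of the ideas above, Kottke’s day-one versus day-15 baseline comparison and Schoff’s identity-based allowlist of which device may talk to which, can be illustrated with a small check. The Python below is an added example, not Malisko’s or Cisco’s code, and does not read Cyber Vision or ISE exports; the device names, flow records and policy are constructed, and it also shows why a baseline alone is not a policy (a violation present since day one never shows up as “new”).

```python
# Constructed sample conversation records: (source device, destination device).
# Device names stand in for the identities an asset/NAC tool would assign;
# IPs are deliberately absent because the policy is identity-based, not subnet-based.
DAY1_FLOWS = [
    ("VFD-01", "PLC-01"), ("PLC-01", "VFD-01"),
    ("HMI-01", "PLC-01"), ("PLC-01", "HMI-01"),
    ("HIST-01", "PLC-01"),
    ("HIST-01", "VFD-01"),     # present from day one, yet not permitted by policy
]
DAY15_FLOWS = DAY1_FLOWS + [
    ("VFD-01", "HMI-01"),      # new conversation: drive talking directly to an HMI
    ("ENG-WS-02", "PLC-01"),   # new conversation, but an engineering workstation that policy allows
]

# Constructed identity-based allowlist: which device may initiate traffic to which.
ALLOWED = {
    "VFD-01": {"PLC-01"},
    "PLC-01": {"VFD-01", "HMI-01"},
    "HMI-01": {"PLC-01"},
    "HIST-01": {"PLC-01"},
    "ENG-WS-02": {"PLC-01"},
}


def new_conversations(baseline, later):
    """Conversation pairs seen in `later` that were absent from `baseline`."""
    return sorted(set(later) - set(baseline))


def classify(pairs, policy):
    """Split pairs into those permitted by the allowlist and policy violations."""
    permitted, violations = [], []
    for src, dst in pairs:
        (permitted if dst in policy.get(src, set()) else violations).append((src, dst))
    return permitted, violations


def review(baseline, later, policy):
    """Baseline diff first, then a full policy pass over the later capture."""
    new = new_conversations(baseline, later)
    _, new_violations = classify(new, policy)
    _, all_violations = classify(sorted(set(later)), policy)
    return {"new": new, "new_violations": new_violations, "all_violations": all_violations}


if __name__ == "__main__":
    for finding, pairs in review(DAY1_FLOWS, DAY15_FLOWS, ALLOWED).items():
        print(f"{finding}: {pairs}")
```

The `all_violations` pass is the part a baseline-only comparison misses: the historian-to-drive conversation was in the day-one data, so it is not “anomalous”, but it still breaks the allowlist.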